Rethinking the Pentest Delivery Model: From Reports to Real Outcomes

Traditional penetration testing hasn’t kept pace with modern security needs. While testing itself has evolved, delivery often remains stuck in static PDFs, delayed handoffs, and remediation bottlenecks that prevent findings from turning into real risk reduction. The result? Slower outcomes, frustrated teams, and pentests that don’t drive the impact they should.

In this session, CyberGuard Advantage shares how they modernized their pentest delivery model by shifting from report-centric workflows to a living, outcome-driven engagement model powered by PlexTrac. You’ll learn why the biggest constraint in pentesting isn’t testing quality but how results are delivered, tracked, and acted on.

We’ll walk through CyberGuard Advantage’s transition away from traditional PDF reporting and into a streamlined, scalable workflow that preserves quality while accelerating remediation. See how real-time visibility, built-in quality assurance, asset-based tracking, and automated delivery enable faster fixes, better collaboration, and stronger client outcomes without sacrificing rigor.

Designed for security leaders, practitioners, and buyers, this talk will show how rethinking pentest delivery unlocks better outcomes for clients and stronger business results for service providers. We will wrap up the session with a live demo and practical next steps for modernizing your own delivery model.

Key Takeaways:
Why pentest delivery is the real bottleneck.
How to move from static reports to real-time, actionable engagements.
How modern delivery drives faster remediation and better business results.

Series: On-Demand Webinars & Highlights

Transcript

[Music] All right, let’s get rolling. We are at the top of the hour here. So, we’re really excited to be sharing this topic with you today. We’re really excited to have the CyberGuard Advantage team here with us. 
Ben Retom, Reaboim, sorry, I pronounced it perfectly in in the warm-ups. And then I am Amit. We’re going to be talking about rethinking the pentest delivery model, something that obviously is near and dear to all of our hearts here at PlexTrac and then obviously our customers and great partners like CyberGuard Advantage. We’re going to be discussing what it means to move from just reporting to actually real outcomes, how you help your customers and your c your company or your uh constituents truly make progress in their security posture based on the reporting that’s coming out of your your pentest and and engagements. Uh, so we’re really got a lot of great stuff to talk about today. Ben and Ido, thanks for joining us. We’ve also got Sarah here with uh with our PlexTrac team. I’m going to have everybody just kind of introduce themselves and give a little bit of background uh before we kind of dive into the topic. Uh I’m Dan Declaw. I’ll start. I’m Dan Declaus, the founder of PlexTrac. I’ve been in cyber security for over 20 years now and excited to just be able to share uh with the world how we’ve been able to help customers and and and companies really make uh make their security posture better and deliver real outcomes through pentesting and proactive security. So excited to be here with here with you all today. Uh Sarah, why don’t you introduce yourself and then we’ll have the CyberGuard team introduce that.
Yeah, thanks Dan. Um, so my name is Sarah Foley and I’m the VP of product management here at PlexTrac. I joined just almost two years ago and time’s been uh definitely flying as I’ve been having a blast here. Um, and before PlexTrac, I was actually focused on security uh integrations more on the endpoint security side. So it’s exciting to come to PlexTrac, get to work on the offensive security side and really see our platform, you know, uh, come to life in that exposure assessment platform space.
Ben, great Ben.
Thanks, Dan, Sarah. Hi, everyone. 
My name is Ben Ready. I’m the director of the offensive security and incident response teams at CyberGuard Advantage. I’ve been in the cyber security space for about 15 years now uh from both sides. Uh I like the work. I like to tinker with stuff. I like to see where things break, which what got me where I am today. and I’m just happy working with with our clients and delivering them uh the quality the good quality reports and testing that we produce for them.
Awesome. Yeah, thanks Ben. Thanks for joining us. Um Ido.
Hi, my name is Idamit. I’m a former software and DevOps engineer and a cyber security consultant at CyberGuard Advantage. Um I’m very excited to be here and uh thank you. Back to you Dan.
Yeah, great. Well, yeah, thanks and thanks everybody for joining us. We’re really uh uh we know your time is valuable. So, we’re excited to be sharing uh some of the the tips and tricks that we’ve learned and just discuss how we’ve been able to help customers uh improve their security outcomes as a whole. Uh really this this today’s webinar is really for security leaders, proactive security testers, practitioners, anybody that’s trying to learn like hey how do we move from more static and slow-moving processes re related to uh pentest engagements, pentest results, proactive security engagements, any kind of any kind of proactive uh testing that’s going on. How do we move those results into actual uh remediation tactics and and and what are some tips and tricks? So, so that’s really what we’re going to be sharing today. Um, the thesis for today is that the the traditional pentest delivery model is broken, right? So, I was a pentester for many years and uh one thing I really hated was how long it would take us to to write the report, but then also when we would deliver that report, we knew that like people weren’t going to be doing things with it, right? 
They would either be putting it on a shelf or just copy and pasting out the information that they felt relevant to then try and go fix. We’d come back for a retest. Oftentimes we’d be rewriting a lot of the same findings from the previous engagement and then we’d probably be finding new things as well. So the the the issue at hand is like how do we actually ensure that these these issues are getting fixed? And one of those ways is to have a better delivery model, a better process around how do we get these results into the hands of the people that need to be fixing them? How do they know how to reproduce them? How do we actually ensure that they are uh knowing what to do in order to fix it and actually following through with that work? Uh so uh it’s the whole entire concept of mobilizing the troops, you know, the mobilization phase as Gartner likes to put it within the the continuous threat exposure management category. Uh so really the bottleneck that that we’ve seen and that Ben and Ido are going to uh share a little bit about their uh their experience isn’t necessarily the testing you know it’s the reporting and the handoff right so uh how do you get those how do you get that report generated quickly post engagement how do you get those results into the hands of the right people uh and and to improve that speed to to delivery is is is crucial because especially in the world of AI especially in the in the uh the transformation information of the industry that we’re in right now and experiencing, you know, firsthand. AI continues will continue to accelerate and and I predict that it’s going to continue to help accelerate attackers at a much faster pace uh until until we can actually use AI to help our defenses and our proactive security posture. So, so how we improve those speed that that speed to delivery, how we improve the the outcomes uh for uh for enterprises and customers is really what we’re all about. 
Uh so uh so with that uh oh and yeah so sorry I kind of jumped ahead or spoke to the slide before I transitioned it but but we’re going to talk a little bit about how CyberGuard Advantage used PlexTrac to redesign their delivery model and and what kind of outcomes this truly has enabled for their customers for businesses uh from an effic efficiency scalability um ensuring that that quality is still there of the engagement the reporting everything that you want out of that report is still is still the highest quality uh without slowing down how to get it into the hands of the right people for tracking remediation which which results in just better outcomes right and and improved security posture testers can come back later and and actually find the new things rather than having to validate the old things aren’t fixed so uh so this this all has led to like better outcomes for for CyberGuard Advantage Ben and Ido I I’ll hand it over to you what what uh you know what did you see in terms of some of the outcomes you know by using PlexTrac and and what were some of the what were some of the initial uh you know goals that you had when coming when coming to uh to use PlexTrac?
Yeah, thanks Dan. Uh maybe I’ll start us off here. I just want to highlight again what you said at the beginning that we have basically a dead document problem. All right. Most firms have great hackers, but they deliver their brilliance in like more more or so a static PDF that starts dying the moment it’s emailed. Uh, and the failure isn’t like in the findings of the bugs and vulnerabilities. It’s in the fact that the report becomes the bottleneck rather than the road map uh for them to fix the issues. Uh, so that’s why we changed our model and became more more efficient and more productive with our clients. Uh so we’re not just selling security tests. We’re selling a smoother remediation process. 
Uh so when the delivery fails, the client spends more time in meetings uh explaining the report and actually fixing the vulnerabilities. That’s one of the things they wanted to fix uh by doing that uh whole new approach.
Yeah, exactly. And so so uh so what what has been some of your experience in terms of like you know changing this approach? How hard was it to kind of actually shift some of that shift shift some of your approach?
Um, it was actually easier than writing the report in a document. It becomes this living journey instead of a slap that tech teams used to be spooked. They suddenly see a huge document, a lot of lines, a lot of pages and they have to read through and suddenly became this interactive, oh wait, we see this is still open. Who’s taking control of that? When are we fixing this? everything is suddenly moving both for us and for them. And my personal favorite is the historical retention part. Uh we don’t have to go back and reread the entire whatever many lines of what happened last year. We can just click here, see what happened last year, see what’s still open, what’s going on this year. It it creates this streamlining. We never sit and and try to dig back into history trying to find out what happened. Again, that’s just my personal favorite. But in in as a whole um PlexTrac really streamlines everything for us on the reporting side. It’s it’s the same thing without the headache. 
So, so talk to us a little bit about uh you know some of the journey that you might have taken with some of your customers and and and how you know you moved from kind of you know like like delayed visibility right so you know the traditional model of hey we’re working on an engagement we’ve got you know say it’s 3 weeks right so you you may be working on that engagement for 3 weeks then you know have have another um you know spell of time so to speak for uh for that reporting phase and then you get the the the delivery into their into their hands via like a static PDF. Talk to us like what was the process like before and like what does it look like now?
So I can’t name any clients but um let’s uh take a a let’s say you have found a few critical vulnerabilities and a few high ones and in the traditional way they used to just receive a report. Suddenly they see five really urgent things they have to fix all at once get spooked and scramble all over the place first trying to understand what the issue is and then trying to understand who’s the owner for those issues and then trying to understand the road map to fixing those. In PlexTrac, as soon as we find it, we just shoot them an email. Hey guys, we found something pretty critical. Please take a look at it. We’ll start testing. So, more things may pop up, but this is what it is and try to find somebody. Suddenly, it becomes those little breadcrumbs that they can uh one by one like attack fix, move on, attack, fix, move on. Instead of this whole here’s a bunch of vulnerabilities we found, you guys have at it. And then it creates this whole um management doesn’t always understand, the developers don’t always understand. You need to have techn technical sessions um try to to pass it over. And in PlexTrac, it becomes those little bits where they can um not be surprised of them all and just fix them one by one. 
That’s a great point that you’re making there, Ido, because you know, obviously we allow you to publish those findings even before the full report is published. And that’s a great point that you, you know, you can kind of send those critical things over to your clients so that you’re not, you know, freaking them out when you’re delivering that full report. So that’s a great example of, you know, taking advantage of some of the flexibility within PlexTrac on how you can publish that detail.
Yep. And we in this in this next slide, you know, we kind of highlight the old way was where static PDF delivery that was it, right? and and we don’t we don’t discredit the value of of a of a of the static report. We always at PlexTrac feel like that is still a very important artifact of the engagement. It represents that that point in time when when the uh when the assessment was done and and completed but but you need to actually move into actionable results, right? And this is where that process has broken down. So you know from you moving from a static PDF delivery into an enga you know living engagement workflow you know continues to improve the collaboration the efficiency maybe talk to us a little bit about uh how how you know that collaboration post engagement has have you seen have you seen actionable results you know and if demonstrable like outcomes come out of that?
Um definitely and it mainly comes down to the different um organizational levels the client has in a static report. You need the same document to be actionable, understandable and and to age well both for C-level uh uh employees, both for the engineers themselves, both for uh security people and the clients end. And in PlexTrac, we already have that sort of uh I want to say division out of the box. The developers know where they where they go. the C-level uh um um position holders know where they go. It’s all in one place. 
And of course, if we for any other um um aim, let’s say a PCI perspective, they need that report. We can still export it. They have it all there. So again, on that front, PlexTrac is a huge huge huge uh relief. It’s it’s the same thing without the headache again to repeat myself.
Yeah. And Ben, I’m I’m curious from from your perspective, you know, kind of taking a step back and and talking about the entire engagement life cycle. You know, as a director, you know, you’re you’re probably responsible for not only making sure that your testers are are billable, so to speak. I mean that they have engagements to work on but they that you know you can continue to develop your business in terms of having more clients you know having more engagements being able to probably move to like a continuous testing uh type framework for for certain customers. Um talk to me a little bit about from a director’s perspective of of what you’ve seen how you’ve seen PlexTrac help um throughout maybe all engage you know all life cycle all phases of the life cycle for an engagement.
Yeah, great question. Then uh I think I’ll start with basically on the the how or how or our specific workflow and how it makes our team more efficient efficient basically. Um we don’t start from scratch every time. That’s a big win for us. Uh we maintain a curated vetted findings library that PlexTrac allows to us. Uh this ensures that every report has the same consistency and high quality remediation guidance that we expect throughout the team. uh regardless of which consultants uh perform the test. Um we use a variety of best-in-class tools like Nessus and Burp and PlexTrac allows us to normalize the data very fast. Uh deduplicating findings so the client doesn’t get cluttered reports uh with the same issues listed five times for example. 
Uh and I guess one of our biggest differentiators is that real time finding review uh we can publish uh like Sarah talked about we can publish the verified findings to the client as we find them which allows their dev teams to start fixing critical holes on day two of the engagements rather on day 20. Uh so I see a huge shift from our clients, our current clients and new clients. We uh sort of pitch this uh approach to them uh and they are all for switching this new approach and getting that um better visibility, better interaction with their teams and they feel part they feel part of the team basically liked mentioned we’re taking them uh to the journey our journey of securing their environments.
That’s great. And you mentioned something, you know, that I I think that is is important to kind of highlight. Uh, you know, in like in the beginning stages of the engagement, uh, you’re you’re using, you know, industry standard and and, you know, best-in-class tools like Nessus, Burp, you know, other, you know, probably other other tools as well that we can bring those into PlexTrac and automatically kind of aggregate them. But then also you mentioned the findings library and I think this is an important this is a really you know key aspect to efficiency and and quality control within PlexTrac. Talk to us a little bit how your about how your testers maybe use that findings library and then how does it help facilitate uh the QA workflow you know your your QA process before you actually get ready to deliver those results.
Yeah definitely. So PlexTrac allows us to perform the QA in the application itself. So while the findings are uh being drafted, there’s always uh member of the team to conduct the internal peer review QA process. So PlexTrac gives us that ability uh in line within the the application itself through each finding and basically what it will look like at the report at the end. 
But it saves us at the end of the day reporting time and review time once the the testing itself is done. So by incorporating that create process during the test, it again saves us time and effort and gives more uh efficiency to the customer.
Yeah. Yeah. And and I’m sure you can maybe you know attest you know Sarah did you have a question but
Oh no I was just gonna comment that you know I definitely see across our customer base you know with the content library they’re very specific as well as you know they can be in the tone of voice or the way that they’re delivering the report. So having that kind of consistent uh tone is definitely key you know as you’re uh expanding across more pentesters in your firm. So, yeah.
And Ido, I don’t know if you’ve if you’ve got any comments on like, you know, just using that that that content library, you know, how how it might help, you know, just continue to ensure that consistency and quality without slowing down.
Of course, um, for me, it’s um when those relatively special findings occur and I’m like, how am I supposed to report this? I mean, I understand the problem, but I need to put it into words now and and make it as understandable as I can. Um, and then I’m Oh, wait a second. Maybe somebody already Oh, okay. Here we can see it very visibly. It’s written very well. And the former time the last time we found this, the client very much liked this this description already. So, we can start by reusing this. It’s all there. For me, is that part it’s part of that same historical retention. It doesn’t have to be one client with one test. It can be our entire work as a whole in one place as a database of sorts.
Yeah. Yeah. And Oh, sorry. Ben, did you have Go ahead.
Yeah. 
Just for me as a director as a high level uh nugget here that I find it very useful on board new penetration testers and consultant with that because they don’t need to go through the process of uh what am I doing now where am I starting am I doing the boarding like I did before in the previous form uh like I don’t mention we have that library we have that QA process so they are very fast to uh on board and do the work as we expect as our clients expected
And then and then I would I would think that this also can help uh help onboard the them you know a lot faster right in terms of training you know they understand how you you know the voice and how you you present those findings.
Exactly. Yeah.
Yeah. Um, so, so let’s talk a little bit. So, so with that QA workflow that we have within PlexTrac, uh, that that continues to allow you to assign assign comments, track changes, all that to people that are doing the the review. We talked we talked a little bit about that. Uh and then once you actually can publish the results, talk to us a little bit about how uh you know any examples that you have of like customers that have been able to truly start getting their their issues fixed and have better visibility. Have you have you seen you know improvements there?
Yes, definitely. And uh it all boils down to how PlexTrac present the finding findings and they have the issue tracking option there which it’s kind of like a conversation between our consultants and the client uh development team. Uh so whenever a publish uh we publish a finding and they get that uh into their mailbox or through their um ticketing service whatever ticketing platform integration they use um and they start tracking this or fixing there’s a conversation going between uh us and them through the application and we see if they have any questions they come back to us they don’t need to wait for an email to go on and then the next day. 
So there’s a lot of uh speed in terms of remediation and if it was something was not clear by defining itself it is made clear during the time that they ask us those questions.
Yeah. And and Sarah, maybe maybe talk a little bit about uh what we have in PlexTrac related to kind of workflow automation and and things like that for AB.
Absolutely. I mean, you obviously you mentioned our QA workflow which just helps you know the reviewers or the testers actually make sure that the report is you know ready and um available for delivery. Uh so that was just recently introduced uh within PlexTrac in our 225 uh version. So that should be available to all of our customers now and that’s really exciting. But then as Dan mentioned, we’ve also introduced a QA or excuse me, a workflow automation tool as well uh that really helps you uh you know automate that whole process. And that can be you know implemented on maybe your report findings you know maybe if a report finding meets a certain condition you might want to assign it to a certain owner or send it to a certain remediation tool things like that. you can, you know, have a lot of granularity on what might trigger that workflow automation. And then in that workflow automation tool as well, you know, you can really help that create your report even faster. So perhaps when you’re pulling down, you know, findings with a certain tag, maybe you have a ISO tag associated to that or some kind of compliance test, you can make sure as you’re pulling those findings into the report for your client that that’s applying your appropriate template within PlexTrac as well. So just a few automated steps that you know PlexTrac can PlexTrac can help you set up as you’re doing different types of uh penetration or security tests as well. So uh but yeah, we’ve had a lot of great uh success from our customers uh you know using our workflow automation tool because it’s so simple to use. That’s one thing I’m really proud about. 
You don’t have to be a coder to use it. It’s a very simple you know if these conditions are met then perform these set of actions. So definitely been um seeing our customers take that uh for complex workflows or even simple workflows like close out informational uh findings as they come in. So yeah, fantastic.
Yeah. And and you know just the the aspect of being able to automate as much of this process as possible really helps not only uh improve morale for the testers and and and the folks that you know are are dealing with some of these you know smaller tasks but like in the reporting aspects cuz cuz I mean I I think Ido and Ben you know we can all relate that hackers love to hack we love to test we love to find the intricate exploits and be able to you know really dig in and and see how we can think like an attacker that’s that’s the fun part of the job and with every job there’s always some the not so much fun parts and that’s like the actual like hey I actually have to write this up and report this but you want to you want to ensure that your customers understand exactly what you did and the hard work that put that went into it so that report is you know is a really important piece of of the engagement it’s it’s probably the most important piece and so uh being able to automate as much of that process as possible and then once they have it you know automating automating what they can do with it making their lives easier which brings better visibility, right? Because the the the more automation you can have around actually taking this finding and moving it to where it needs to go without a lot of uh, you know, handholding and and, you know, asking questions, you know, being able to automate that. It really does improve the actual outcomes for, you know, for those results. 
Um, do you have any do you have any other examples like Ben or Ido of of of of customers that you’ve you’ve been able to see maybe some progress from like what you were doing before versus using PlexTrac?
Of course. Um, in the past I had to make spreadsheets and and every time it it was a new a whole new thing with new uh columns to populate for every same thing that I was doing before. I mean the vulnerabilities don’t change but the requirement from the client does and that sort of integration where directly where I report to they can just take that away to their own platform and track how they’re they’re fixing it not only streamlines things it makes it faster and um that our entire communication with the client improves as a whole as a result of that.
Yeah, and I think I’ve definitely seen, you know, with some of the flexibility in the mobilization or remediation phase as well. You know, we now have support for Azure DevOps, uh, which we didn’t before. Um, we also have support for the ServiceNow marketplace. We’ve been seeing some customers, you know, push to that marketplace support and of course Jira. And I think, you know, being able to, like you said, you can push those uh, findings into their tool of choice. You can also allow it to perhaps bidirectionally sync back if they did want to, you know, share that information with you. So, giving them that type of flexibility to, you know, have it go into their ecosystem versus coming back into yours, um, I’ve seen really be an advantage across clients as well.
Yeah, exactly. And so, I did want to did want to highlight, hey, we’re going to have a Q&A session here in in just a minute. Uh so if you do have any questions for for us or the the CyberGuard Advantage team, feel free to use the Q&A uh section and and we’ll answer those here in a second. 
But um as we kind of you know kind of talk talked you know we’ve talked a lot about how we’ve helped you know make the team more efficient for their reporting and their QA workflow and then having having you know ensuring that quality without you actually and actually speeding up the reporting process um you know and and then results in better better outcomes for the clients. what other f final kind of topics uh you know have you seen in terms of what is the what’s a better out like what have the been the outcomes for your business as CyberGuard Advantage
Uh for us as a business uh we spoke about at length in terms of efficiency which actually translate to cost to the client and give us gives us the opportunity to uh have those uh more thorough engagements for less cost for the client for some uh some engagements uh so for example we had a large client uh uh two years ago that started using PlexTrac. They they had a big environment with many applications that need to be tested at as separate engagements and they didn’t want a checkbox activity. They didn’t didn’t want a checkbox report. They were used to getting the penetration test report and then uh later after a few weeks or few months a retest report. So in the in the case where we introduced them to PlexTrac and they were able to assign those findings to specific individuals from from their team and fixed them during the engagement, they ended up getting just one final report that had cut down all the things were fixed. Only the things were remaining were there which saved them a lot of time going back and forth and to the stakeholders and displaying a bunch of findings there that were going to be fixed anyway. Uh and for us again it saves us on additional effort for reporting at the end and going back and forth uh through many months uh with the client. So there’s a great value to to the clients there.
That’s yeah that’s great. 
And and uh I think you know so like without PlexTrac how how long like how long do you think that that you know that whole process would have taken you know both from like getting the report into their hands and then that back and forth during their during their kind of remediation life cycle.
Uh typically and historically uh if a penetration test uh takes uh two three weeks and then traditionally a report will take another two weeks to produce and deliver to the client uh waiting for them to digest the report and and disseminate throughout all the uh different stakeholders and then come back to us with questions and then uh have a report walkthrough sessions with them help them along the way. uh this process can take up to uh six months if not more sometimes depending on the size of the environment. Uh and we were able to reduce this for a to a couple of weeks worth of effort uh and duration with select clients.
Yeah. So for I mean from months to weeks is is pretty demonstrable. So you know how how does that help then your business as a whole? I mean I would I would think that you know it’s it’s allowed you to to scale.
Definitely. Well, first of all, allows us to do more engagement in in a shorter time frame. Uh we were not able to do that before. Uh and when clients see that we still maintain the quality that they were used to before, uh and still doing the same good work that we did before, but in a much more uh faster way and and the most important part is the remediation for the clients. So they were able to remediate uh things faster which benefits all of us and repeat customers and uh getting uh word of mouth out there and getting us new clients throughout that through this uh we’re able to uh grow our practice basically.
Yeah. Which is uh you know which which is just better better outcomes for everybody not only as as a business but also for your clients. 
you know, being able to feel like, hey, uh, you’re able to do more for them in a shorter amount of time, right? Uh, you know, go deeper on on a specific engagement or if you, you know, you got those continuous engagement philosophy or pair, you know, contracts where you can do testing on a recurring basis, you can you can get f further, you know, further into the environment faster. You can, you know, cover more of the scope and the depth. So uh you know that’s that’s really you know trying to stay one step ahead of of the attackers as much as possible right?
Yeah definitely that that’s the basically the shift left approach that we have also implemented on some of our clients that have those environments and are open to this. So they uh basically it’s not a time boxed activity or or engagement. Uh we are helping them along the all the entire of life cycle of the application development from start to finish. we’re testing throughout all the stages and they see it almost live in the on the platform.
Yeah. Yeah. And then uh you know from the from the uh just like the the I’m going to ask you this question like kind of talk to me like has has morale or within your testing team you know changed at all through using PlexTrac?
Yes. Yes it has. Um the collaboration aspect of it having to version different documents. Oh, this guy has looked at this yet. Uh, did he review this document yet? Suddenly, it becomes again that live thing. It’s always up to date. Hey man, I I entered some new findings. Can you please help me review them before we post them to the clients? And uh um another manager comes in, he’s like, “Hey guys, I saw you entered those. This is not a good finding. Please like shift it. 
It’s the verbiage here is not as good.” Um, it it becomes that live thing that takes versioning out of the equation and allows us to collaborate live on the same platform instead of having to send documents between each other or uh even consolidate them on on our own um place inside the company and of course the visibility to the client as well. Does the client already did they already get that or can we maybe uh touch it up a little bit before because uh I just thought about a better way to put this finding into uh words for example or change that screenshot. Yeah, we introduced our you know real-time collaboration. It seems like so long ago uh now Dan but you know it was a great point you know that you know really allowing even your testers to come in there and work confidently together at the same time on the same report is a huge time savings itself. And then you know uh we’re releasing out uh as we speak here a revision history feature so that on those real-time collaboration fields you can feel confident that you know all of that data is there if you did need to go back to a previous version or things like that. So you know we I often take for granted some of the uh real-time collaboration features that we implemented a while back and how you know impactful they really are to our testers. So it’s a great point. Yeah. Well, we’ve we’ve talked a lot about it um from your guys’s perspective. We wanted to kind of wrap this part of the the session up with just some some actual, you know, actual quotes and maybe talk through us, you know, you don’t have to read them all, but maybe talk through each one of like, you know, what the customer might have been experiencing and and now what they’re able to do, you know, with you through PlexTrac. Yeah. So, what I like about this feedback is that even though it’s from different clients, the theme is really consistent here, right? The first thing we keep hearing is clarity. 
Uh clients appreciate that uh the findings are easy to understand, the evidence is strong, and they know what to do next. Uh that’s a big one because the report only matters if it actually helps people take action. Uh the second thing is speed to action, not just speed to delivery. Uh one client called out that they didn’t have to wait until the final report to start making decisions. Uh they were able to engage during testing, uh ask questions and begin prioritizing fixes right away. Uh and that’s exactly the experience that we aim for. Uh and the third thing here is that uh making remediation manageable. It’s one thing to identify issues. Uh it’s a completely other thing to track them, validate fixes, and uh communicate progress internally. Yeah, the feedback here really highlights that the workflow uh made that process easier especially when it comes to retesting and proving uh closure to the stakeholders. Right? So basically at the high level the common thread is your clear findings uh the collaborative process and the practical remediation uh follow through. Yeah. And I think I think that that that we we we touched a little bit on it, but but just being able to speed up that whole retest process and the validation stage of of hey, we fixed this. Is it truly resolved? You know, that that in and of itself is a is can can almost be a full other engagement. And so just being able to collaborate effectively on that on the retest and having that historical view for your customers over time, you know, continues to show your body of work that of of the value that you’ve provided um without losing the uniqueness of your company and how you actually have uh the unique touch that you have with your customers and and the processes that you already employ regardless of whether you were using PlexTrac or not. Right. Exactly. Yeah. So, uh, so one, we can’t thank you enough for for all sharing the insight and and the value. 
Um, Sarah, maybe share a little bit about anything that that we have coming and then I’m going to open it up to uh, so Q&A. We’ve got some questions here. If you have some questions for for us or for the CyberGuard Advantage team, uh, feel free to throw that into the Q&A and then and then uh, and then we’ll jump in. So, absolutely. So um you know as obviously as uh Dan started PlexTrac you know for that reporting automation company and as you guys uh may have seen you know we’ve obviously been entering into that exposure assessment uh platform category. We are recently uh named on the Gartner Magic Quadrant for that category. And so really, you know, we’re focused on keeping all of that great, you know, um, feature set and things that we have for our reporting, but really expanding that even uh more so to really let PlexTrac be that centralized data hub so that you can start bringing in, you know, your vulnerability management, start performing vulnerability management operations and really bringing those teams together inside of PlexTrac. So I think some of the things uh that we have that are really exciting coming up are you know we’re about to introduce our MCP server which can help our PlexTrac users just even you know utilize the platform even more quickly more efficiently uh through the MCP server and then we’re also working on some exciting new API integrations so that you can you know continuously bring that data in from tools like Tenable, Rapid7, Qualys etc while also having those you know pentest uh findings that you guys are uh entering in there as well. So uh really exciting but mainly focused on some you know big integrations coming up and some exciting uh adoption for MCP. Yeah, we’re always trying to innovate. We’re always trying to uh help our customers you make their lives as easy as possible so that they you know our mission is to help uh teams win the right cyber security battles right and that means staying focused on the right things. 
So being able to stay focused on the testing and getting those results written up as quickly as possible so that the people that are responsible for fixing them can have them in their hands faster and so that the issues get resolved hopefully before any any uh adversary actually identifies those weaknesses. So that’s that’s our mission. We’re always we’re always trying to innovate to help uh in all of those aspects of of the uh the workflow and life cycle. Um so let’s dive in. We’ve got a couple questions here and then you know if anybody else has questions feel free to uh feel free to chime in. Uh but uh the first question and I think this would be good good kind of for Ben and Ido is is there a concern about clients making remedial changes that could affect you know an ongoing pentest. So say you’re you know say you’re in the you know you’re you’re doing the engagement and I think this is how I understand the question otherwise you know we can have have this individual clarify but uh you they’re they’re continuing to remediate things while you’re still doing the test because you’ve delivered you know you delivered that critical finding right away which is important. So uh you know what what concerns or how have you have you kind of managed that process? So that was a concern at the beginning. We mostly solve that during the kickoffs and onboarding of new clients to the platform and how we actually want this process to work with the clients. So we have a responsibility sort of uh workflow of what uh they need to do what we need to do. Um sometimes specifically for web app testing that when remediation can affect the code that we are still testing there is a concern but again once we communicated to the customer ahead of time that how the process will work and they’re on board with that we stop seeing that most of the time. Um, also when we find something, we make sure it’s vetted and all the affected assets have been reported. 
So we don’t need to go back to that finding again in case they started fixing some of those. So I hope that answered that question. Yeah. Yeah. Absolutely. I mean, Ido, I don’t know if you had anything else to say regarding that and the process, but I was going to say it’s it comes down to communication. If the client knows that we are going to present something that they’re going to be dealing with live, then they’re not expecting us to uh like not touch that piece again or it it always comes down to the communication. As long as it’s clear in the kickoffs before we start, then when we get to it’s uh it’s a living process. Yeah. And and I I think what we’ve also seen is that customers are super grateful to have a consistent way to receive results mid-engagement. Uh because uh you know for a long I know you know many folks and maybe even yourselves you know they’ll have if there if it’s a longer engagement you may have like a status check-in kind of uh meeting or like a a briefing where hey here’s where here’s all that we’ve tested here’s here’s what we’ve done and being able to have those results you know live and ready uh is actually a welcome and so because you’ve already had the chance to write it up and deliver it you you haven’t lost track of the record of what you found you so that uh you can prove that hey you did some work and then they fixed it you know cuz I know I I was on some engagements at I’ve been on engagements where you know it was genuinely kind of a shoulder surfing scenario where I was doing some testing and they were right there and and I like hey this is going to be a finding and the guy was like hey if I just fix this right now does it have to go in the report? I’m like, well, yeah. I mean, because I have to show that I provided you value, right? It’s not it’s not a it’s not a matter of like getting you in trouble. It’s just like, hey, I want to I want to I want to earn my keep here. 
So, so you have that his you know, historical record and system of record with PlexTrac while people can still immediately go fix the issues, which is which is the right, you know, right way to do it. Sarah, any any last comments on on that question? No, that was funny. You could offer a new live QA service right there as part of your offerings. No, I was just envisioning that. No, but I think also, you know, the fact that you can kind of choose if those things sync back to Plex or whatnot too, you know, gives you that flexibility and control. So, yeah. Yeah. Uh the next question is is probably Sarah probably this is a good one for you to take but is there a standard way to get pentest results and I can also help but is there a standard way to get pentest results into a vuln management and orchestration platform and you know and and I would say like that’s that’s what we can do. So I mean Sarah maybe talk a little bit about what we can do and where we’re going with that right. Yeah absolutely. So, you know, like I was mentioning before, we want to be that unified platform where you can still write those pentest results, but really, you know, publish that for your vuln management team in that unified platform, you know, where you can support that continuous model or, you know, maybe that standalone uh delivery as well. But um but obviously with PlexTrac, you know, you can bring your uh results into PlexTrac and we automatically publish them, you know, into our vulnerability management space as well. Um, other times we’ve seen customers just mainly do, you know, an export and uh import into other tools, per se. Uh, but we’re definitely aiming to make that easier uh within our single platform to have you just automatically publish those into that vulnerability management space. Yeah. And then, you know, like we obviously support a lot of different tools and API integrations. Uh, and if we don’t, we have a standard API framework that you can actually code against. 
So we have a lot of customers they may have some unique tools or some uh some some unique ways of of delivering results or you know generating generating findings uh that we don’t maybe have an integration for they use our API or like a standard we have a standardized CSV format as well. So uh so lots of different ways to to get data in. Ben, Ido, it sounds like you know you you’re you’ve taken advantage of that. Have have you how has that worked for you? For us mostly or for our clients mostly it’s been working uh as intended I guess you can call it because and I don’t know if it’s specifically for vuln management platform but ticketing systems which is one of the features that PlexTrac allows here uh to integrate with the client’s ticketing system and basically that cuts down a lot of time and effort and visibility. Great. Yeah. Um, so a couple more questions and then uh and then uh and then we can uh you know we can wrap up the session here by that. Um you know one of the questions that that actually didn’t come through the the the Q&A but I’ve got it here on the side. Um you know where have you actually seen the biggest time savings or have you just seen time savings in all the different phases? You know whether that’s during testing QA reporting you know just the write up itself or delivery where where have you seen like the most time savings? Um, for me it’s on the the end report part being able to as I go document report move on document report move on docu and integrating that into my workflow has uh that that’s the major uh timesaver there for me. Uh the alternative was that I would have to take another week in the end of every engagement just to put everything in order. Think about how I want to report every single finding there. What are the words that I should be including? What words should not be there? Uh screenshots, do I have everything? Um and having that sort of uh find, document, report, repeat it, it it this is the major timesaver in my opinion. 
Yeah, that’s well that’s that’s great. Yeah. So um so so along that lines you know I think I think we kind of we’ve kind of discussed and highlighted that you know you had to change a little bit of your process and workflow you know from what you were doing before to using PlexTrac what was what was it like for you know bringing the team on board from a testing perspective and reporting perspective were was there any hesitancy or any things that that they really had to work through on on changing and and how did they react to that or how what would what you know any tips for like truly just kind of coming on board with using PlexTrac and maybe changing some of your processes. Yeah, there was definitely some uh growing pains at the beginning uh just seeing the the value of of the platform and uh the shifting of the testing approach where you can actually report on your findings before the the penetration test is done. Like usually they were thinking like do I do I have budget? Do I have time to finish the test? Why do I need this? Will I go over budget? So we made sure everything is uh is clear to them and budget is also pretty clear and uh by being more effective basically we usually come under budget uh sometimes uh the end of the day we want our operators to spend their time finding bugs and not fighting with Word document formatting. Right? That’s the the main goal here. And they they saw the the all the good that they provided them and how fast that allowed them to provide and produce reports. Yeah. Yeah. And that’s and that’s that’s the goal, right? So, um, another question, does PlexTrac include a recording of the actual test? And and I’m not sure exactly what that means, but like if you were using, you know, some kind of screen capture for for different uh test execution, you can include that as either in a couple of different ways within the report. You can include that as an artifact. 
We have an artifacts section within the reporting where you can upload you know any type of file that you know say is like a network diagram or you know specific code that you actually you know scripts that you ran but then also within the writeup uh of the finding itself you can add evidence. So you can add screenshots and then because it’s a dynamic you know living and breathing platform you can actually add videos as well. Uh, you know, being being a tester myself, I always love to be able to show customers, you know, a video from start to finish of how I exploited something, especially like in a web app, um, where you might have to like, you know, talk through a lot of different steps. So, the adage around PlexTrac is that a picture is worth a thousand words and a video is worth is worth a thousand pictures, maybe more. So, um, so there’s there there is the notion of being able to, you know, have the evidence around the actual testing capabilities to be able to be stored in PlexTrac as well, right? Okay, a couple more and then and then I think we’re we’re just at about time. Um, so if someone wanted to start automating their delivery model, what is the first step that you would recommend? You know, how do how do you go about uh doing this within PlexTrac? And and I guess maybe bringing your customers on board like you know was there any uh you know was there any kind of discussion around you you using this new dynamic platform? Uh there was of course discussion and uh our goal again was to make sure uh everything is clear by communicating what we expect this to produce to the client and what the value that they can get out of this. Uh again not all clients will choose to go because some of them are just looking for uh compliance and a checkbox activity which is fine. Uh but we want to go beyond that and that’s the value that they see in using this platform both from client side and from our internal team. Fantastic. Fantastic. All right. 
And then the final question I think is a good one to wrap up because it kind of it kind of highlights like what our vision has been for for a long time. Like somebody asked like why the name PlexTrac and PlexTrac is actually uh you know a merging of words that uh uh is a plexus. So a plexus is a fully meshed network. You know the the the idea being that we have a world full of testers and sources of findings and different companies and all these different uh different you know ecosystems within within cyber security and we’re all trying to actually accomplish the same mission of improving. So the the more fully meshed we are, the better we are together in terms of having that that connectivity and that centralization. Uh you know is that’s kind of like the notion of a plexus. Uh bringing that all together to actually track and remediate your findings to to completion and improving the security posture. That’s kind of how the name PlexTrac came to be is like the the combination of a plexus, a fully meshed network, and being able to highlight and have visibility across all of those different uh entities into a single source where you can uh show your progress over time is the tracking piece of track. So, so that’s that’s how the name PlexTrac came to be. Um, it’s a great question. I get that I get that quite frequently as well. Um, so I just want to kind of as we wrap up, I want to kind of uh, you know, hand the hand the mic over to everybody for any kind of last last things to say and then we’ll let everybody get on uh, with their day. But Sarah, anything anything from your side? Yeah, definitely just want to remind anyone that you can contact our sales team or request a demo, right, to learn more about PlexTrac. We can walk you through that. We have a great onboarding team and uh, sales engineer team as well. And then of course you can also reach out to CyberGuard uh for their services. 
And uh I think you know when I was looking uh at CyberGuard, what I really like is the way that you guys kind of can offer that boutique experience to each of your clients. So they’re feeling very you know specialized and individualized where you can, you know, actually get that efficiency and save time behind the scenes. So yeah. Yeah. And I and I I’ll just highlight, you know, I I love working with our customers, love working with our partners uh like CyberGuard Advantage. We we view these relationships within PlexTrac as true partnerships to help help them grow, help you all uh do your business better so that you can uh deliver better services, deliver more frequent services, grow your businesses, we all grow together. Uh the rising tide lifts all ships kind of a a mentality. But um we truly do love partnering with folks. So, uh, if you’re interested, you know, check us out. Uh, Ben, Ido, uh, anything from your side? Uh, well, two things. First of all, PlexTrac, the PlexTrac team has great support as well because we as a client need support. They have a great support uh portal and they answer very fast. And they also have uh I don’t remember how you call it, but idea platform. Any any clients that uses PlexTrac and has ideas on how to improve or feature requests, they can submit. We’ve seen some of the features get implemented. So great job there. Uh and I guess the last golden nugget from for me is that um here at CyberGuard Advantage, we we believe that the pentest is only as valuable as the fix that it enables. Uh and our collaboration with PlexTrac is is about shrinking the time between discovery and remediation. So our clients are actually safer, resilient, and not just compliant. Yeah. No, thank you. Yeah, I any any last words? Ben just did it. I couldn’t have done it better. Yeah. Well, that was great. You know, thanks, Ben. And thanks, Ben and Ido for your time today. We know it’s valuable. We know you’re busy. 
Uh so really appreciate taking time to kind of share your experience with PlexTrac. And again, thanks everybody for joining us. We hope you have a great rest of your week and uh this this uh this will be available for uh for download later if you have any questions. If you have if you have any questions, don’t hesitate to reach out to either team and uh we can certainly uh get you the answers. But I really appreciate your time. Hope you have a great rest of your day and we will catch you all next time. Thank you. Thanks everyone. Bye. [Music]